
Wireshark


Wireshark is software for capturing and analyzing network traffic. It captures the traffic on a specified network interface of the machine on which it runs. The captured traffic can be saved to a file for later analysis, possibly on a different machine.

Wireshark is a powerful tool with many capabilities and constitutes “the” choice for professionals. Wireshark may also be useful for learning purposes. In this case, it is important to carefully balance the complexity of Wireshark, the complexity of real network traffic and the learning objectives.

Sample captures

Learning labs

The Wireshark Labs freely available online as a supplement to the book “Computer Networking: A Top Down Approach - Jim Kurose, Keith Ross” are an excellent suite of learning examples. Each lab consists of:

  • a document with step-by-step instructions for capturing packets from a live connection and for analyzing important properties of the captured traffic.
  • a file with traffic already captured.

Before looking at these labs, please read the notes below carefully.

The current structure of this course makes the exam quite heavyweight. Adding Wireshark labs might subtract time and might be distracting. If a student is sufficiently motivated and interested, though, autonomous execution of the following Wireshark labs may be very helpful: it may improve the understanding of some key concepts and it may make the overall topic “more concrete”.

  1. Getting started
  2. DNS
  3. HTTP
  4. Ethernet and ARP.
  5. IP and/or ICMP.

All these labs should be done in the second part of the course, even those about DNS and HTTP. They can be executed in any order, except for the “Getting started” lab, which must be the first one. Labs 4 and 5 should be done after the lectures on traceroute (the fragmentation section of Lab 5 should not be done, as it is based on concepts not included in the course).

The DHCP lab should not be executed and its reading may even be misleading (the course describes DHCP in a very over-simplified way: the real DHCP is quite different from the one described in the lectures).

Exercises on DNS traffic

Look at DNS recursive query client (by Chris Sanders)

  • How long is this capture in seconds?
  • What is the IP address of the DNS server?
  • What is the IP address associated with the first name being asked?
  • How many names are resolved?
  • How long did it take, on average?

Suppose you have the ability to modify the DNS response to the first DNS request; you want to drive the requesting client to 131.114.9.252.

  • Write the byte sequence corresponding to the DNS response that you should send.
  • Emphasize the portions of the DNS response that can be constructed in advance and those that depend on the matching request and thus must be constructed on the fly.

Look at DNS lab (by Chris Sanders)

  • Same questions as above

Look at HTTP-ESPN (by Chris Sanders)

  • Same questions as above

Suggestions:

  • Statistics --> DNS
  • Statistics --> Flow graph
  • Display filters:
      • dns.flags.rcode != 0 shows the DNS responses whose response code is not zero, i.e. the requests that could not be correctly resolved
  • Useful functionality: select a DNS response in the middle pane, right-click, then Copy > Bytes as Hex Dump or Copy > Bytes as Hex Stream.
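Both the exercise on which portions of a DNS response depend on the matching request and the dns.flags.rcode != 0 filter come down to the DNS wire format (RFC 1035). The following Python is an added example, not part of the course material or of the sample captures: it parses DNS messages from constructed byte strings (a query for example.com and two responses, with 192.0.2.10 as a made-up answer address), reports the response code the display filter keys on, and applies the check a resolver makes before accepting a response: transaction ID, QR bit and question section must match the outstanding query.

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsMessage:
    txid: int
    flags: int
    questions: list  # (name, qtype, qclass)
    answers: list    # (name, rtype, rclass, ttl, rdata)

    @property
    def is_response(self):
        return bool(self.flags & 0x8000)  # QR bit

    @property
    def rcode(self):
        return self.flags & 0x000F  # low 4 bits of flags = dns.flags.rcode


def read_name(msg, offset):
    """Decode a domain name at offset, following compression pointers.
    Returns (name, offset just after the name as it appears in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name occupies only the pointer here
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def parse_dns(msg):
    """Parse header, question and answer sections (authority/additional are ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return DnsMessage(txid, flags, questions, answers)


def rdata_as_ipv4(rdata):
    """Render the RDATA of an A record as a dotted quad."""
    return ".".join(str(b) for b in rdata)


def response_matches_query(query_bytes, response_bytes):
    """The acceptance check a resolver makes: same transaction ID, QR bit set
    on the response only, and identical question section (names compared
    case-insensitively)."""
    q, r = parse_dns(query_bytes), parse_dns(response_bytes)
    norm = lambda qs: [(n.lower(), t, c) for n, t, c in qs]
    return (r.is_response and not q.is_response and q.txid == r.txid
            and norm(q.questions) == norm(r.questions))


def failed_resolutions(messages):
    """Equivalent of the display filter dns.flags.rcode != 0: (txid, name) of
    every response whose response code is non-zero."""
    out = []
    for m in map(parse_dns, messages):
        if m.is_response and m.rcode != 0:
            out.append((m.txid, m.questions[0][0] if m.questions else ""))
    return out


# Constructed sample messages (not taken from any capture).
# Query: ID 0x1a2b, flags 0x0100 (RD), one question: example.com A IN.
QUERY = (bytes.fromhex("1a2b01000001000000000000")
         + b"\x07example\x03com\x00" + bytes.fromhex("00010001"))
# Matching response: flags 0x8180 (QR, RD, RA, rcode 0), answer A 192.0.2.10, TTL 60,
# answer name given as a compression pointer (c0 0c) to the question name at offset 12.
GOOD_RESPONSE = (bytes.fromhex("1a2b81800001000100000000")
                 + b"\x07example\x03com\x00" + bytes.fromhex("00010001")
                 + bytes.fromhex("c00c000100010000003c0004c000020a"))
# Response to a different query: ID 0x1a2c, flags 0x8183 (rcode 3 = NXDOMAIN), no answers.
NX_RESPONSE = (bytes.fromhex("1a2c81830001000000000000")
               + b"\x02nx\x07example\x03com\x00" + bytes.fromhex("00010001"))

if __name__ == "__main__":
    good = parse_dns(GOOD_RESPONSE)
    print("answer:", good.questions[0][0], "->", rdata_as_ipv4(good.answers[0][4]))
    print("accepted:", response_matches_query(QUERY, GOOD_RESPONSE))
    print("rejected:", not response_matches_query(QUERY, NX_RESPONSE))
    print("rcode != 0:", failed_resolutions([QUERY, GOOD_RESPONSE, NX_RESPONSE]))
```

To use it on real traffic, select a DNS message in Wireshark, copy it as a hex stream (see the suggestions above), strip the Ethernet/IP/UDP headers, and pass the remaining bytes to parse_dns. The parser deliberately ignores the authority and additional sections and EDNS, which is enough for the labs above but not for a general-purpose resolver.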